2. What is Single Sign-On Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
Enterprise single sign-on (E-SSO), also called legacy single sign-on, intercepts the login prompts presented by secondary applications after primary user authentication and automatically fills in fields such as a login ID or password.
E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."
Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server.
Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.
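The Web-SSO flow just described, as an added example that is not part of the original slides or of any vendor's product: an intercepting gateway checks an integrity-protected session cookie, diverts unauthenticated requests to the authentication service, and passes the verified identity to the web resource. The cookie name `sso_session`, the `X-Remote-User` header, the URL and the key are assumptions made for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

SECRET = b"constructed-demo-key"            # assumption: known only to the SSO gateway
AUTH_URL = "https://sso.example.edu/login"  # hypothetical authentication service
MAX_AGE = 8 * 3600                          # assumed session lifetime, in seconds

def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_cookie(user, now=None):
    """Called by the authentication service after a successful sign-on."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload).decode()

def verify_cookie(cookie, now=None):
    """Return the username, or None if the cookie is missing, altered or expired."""
    now = time.time() if now is None else now
    try:
        body, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time comparison; the payload is only parsed after it verifies.
        if not hmac.compare_digest(mac.encode(), _mac(payload)):
            return None
        user, issued = payload.decode().rsplit("|", 1)
        age = now - int(issued)
    except ValueError:  # malformed structure, base64, UTF-8 or timestamp
        return None
    return user if 0 <= age <= MAX_AGE else None

def gateway(path, headers, now=None):
    """Decide what the intercepting proxy does with one request."""
    # Never trust an identity header sent by the client; only the gateway sets it.
    upstream = {k: v for k, v in headers.items() if k.lower() != "x-remote-user"}
    pairs = (p.strip().split("=", 1) for p in headers.get("Cookie", "").split(";"))
    cookies = {p[0]: p[1] for p in pairs if len(p) == 2}
    user = verify_cookie(cookies.get("sso_session", ""), now)
    if user is None:
        # Unauthenticated: divert to sign-on, remembering where to return.
        return "redirect", AUTH_URL + "?return_to=" + quote(path, safe=""), {}
    upstream["X-Remote-User"] = user
    return "forward", path, upstream
```

Because the web resource trusts whatever identity the gateway passes in, it must be reachable only through the gateway, and the cookie should be sent with the `Secure` and `HttpOnly` attributes.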
5. Federation Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Security.
6. Wouldn’t it be nice… If there were one application that did everything I needed?
Or if all of my applications, vendors & partners would cooperate
If someone would invent the ‘Magic Button’….
7. In Reality… Students, Faculty and Staff need access to:
WebCT – Learning Management System
Questionmark’s Perception – Exam, Quiz tool
WebAdvisor – Datatel’s Web Application delivering: Registration, e-commerce, Budget etc…
Web Based e-Mail
Intranet – Forms, Custom Applications, News, Reporting
8. Sticky Note Credentials System
9. Ultimate Hiding Spot…
10. Benefits: Users, Support Staff, and Company All Save Time!
Users: The users can now simply run the application without having to remember a complicated logon sequence. They now can click the application icon and use the application.
Instant Value: According to the Gartner Group report, 30% - 40% of support calls are due to password resets. Single Sign-On will immediately eliminate many of these types of calls.
Reduce Support Costs: At a reported cost of $17 - $32 per call, that will translate into an immediate cost savings when using Single Sign-On.
Security is also strengthened, since the users are no longer writing their application names and passwords on sticky notes or their desk calendar for all eyes to see.
11. Selecting a Solution Must be web based
No client-side agent, application or plug-ins
No coding for each SSO’ed application; non-invasive
Version 3’s Simple Sign-On
12. Vendor Research Imprivata
E-SSO, Desktop solution
Approx. $70,000 + $14,000 maintenance
Hardware only solution
13. Vendor Research Cont. Citrix
Password manager both desktop and web based
Extends AD schema, or uses local file
No site license
$107 per user
4,000 concurrent users $428,000
2,000 named users $106,800
14. Vendor Research Cont.. Protocom
Desktop product, client required for all users
Extends AD schema
2,000 staff and 50,000 students = $140,000 with $8,000 support
15. Vendor Research Cont… Version 3’s Simple Sign-On
E-SSO with desktop client
Web SSO in Beta
No agent or plug-in for Web SSO
Takes advantage of MS ADAM so the AD schema doesn’t need to be extended
Dual key encryption
Auditing and monitoring
Site license for $60,000 if participant in beta
16. Project Planning Formed SSO Implementation team
Project Manager - Marcus
Technical Lead - Russ
Manager of Network
Manager of Helpdesk
Chief Information Security Officer
Web Systems Architect
17. Role of Team Members Project Manager
Leads project, regular meetings, primary contact with vendor, provides status reports, identifies risks, and manages resources.
Liaison to vendor CTO and developers, leads resolution on technical issues, and integrates technology into current environment.
18. Role of Team Members Cont. Technical Writer
Develop communications, email, flyer etc…
Responsible for provisioning SSO’ed applications.
Learn the SSO administrator tool, troubleshoot, SSO build installs
Manager of Network
Design of hardware architecture
19. Role of Team Members Cont.. Manager of Helpdesk
Train staff on troubleshooting procedures related to SSO
Chief Information Security Officer
Develops security policy concerning SSO, and audits SSO environment for potential risk
Web Systems Architect
Web development to support SSO integration with current architecture
20. Usability Study Utilized public computer lab
Cross Section of Faculty & Staff
Computer Science Class
Distance Learning Students (WebCT)
22. Usability Study Results Was the single sign-on easy for you to use?
Yes! I was unsure about it at first, but it seems to be a great product.
Yes, it’s much easier to use than trying to remember different passwords.
Yes, I love it!
Yes much better than old version.
The login enter was not easy to find, I love the single sign on.
Yes, keep up the good work!!!
23. Usability Study Results Cont. Do you have any suggestions for improvement?
Place warning message on those applications not included: tartan card, FACTS.
After changing password, the screen should return to the main page. It stays on the password change screen with no clickable options. Try adding a finished button to return to the portal.
Add Colleague as part of the single sign on for staff.
Strip logoff out of email.
Remove all password reset options.
Logout should close out all browser windows.
Logout button needs more visibility.
There is no link to Distance Learning website when you click on ‘DL’ under Instructional Bookmarks.
A screen asking “What’s my password” under prospective student doesn’t make sense; you should have already used your password by this point.
How do I know it’s my account being addressed in WebCT and imail? Is there any way to display the username on the screen?
Don’t let them change their passwords.
24. Usability Study Results Cont.. Do you have any suggestions for communicating this new service to students?
Communicate, communicate, communicate
PCs at Sinclair Central may need to be reconfigured.
What are the password policy requirements? I tried to change my password and there were no guidelines. I could not change my password!
Add information about closing WebCT & perception windows on the my.sinclair logout page.
Got to get their attention re password security and logout importance. Text-only at logon screen not enough.
Include a flyer or magnet with book purchases. Maybe a screen saver message on all campus computers.
Mass email to accounts, teacher announcements, several college briefings, past upcoming change in the announcements page, inform counselor staff.
More on my.sinclair.
An email message to students.
Posters at Sinclair Central, registration and the divisional offices, allied health, business etc..
My students do not communicate via my.sinclair.edu and instructors use WebCT directly.
25. Phased Approach Team decided on phased approach
Phase 1 – Web e-Mail
Phase 2 – BlackBoard Portal
Phase 3 – WebCT & Perception
Phase 4 - WebAdvisor
26. Implementation Timeline
27. Implementation Timeline
28. Implementation Timeline
30. Internal Marketing Targeted emails
In person meetings
31. External Marketing 4 Easel Mounted Color Poster boards with flyer pockets
Placed in high traffic areas
8 Color Posters
Placed in student activity center
Mailbox where part-time faculty collect checks
Brightly Colored Flyers
Bookstore place in student plastic shopping bag
32. PC’s Wallpaper
33. Poster Board
34. Poster Board
35. External Marketing Cont. My.Sinclair.edu portal news
PC’s wallpaper in labs
Screen saver text
Campus news article
36. PC’s Wallpaper
39. Training Vendor Onsite intensive work sessions for 3 days
Second visit onsite for 2 days.
Remote support - Constant
No End User training – Simple communication is enough
40. Timing Release Registration
System work on production
41. Develop Parallel Test System Set up a duplicate system to mirror the production system
2 new test SSO servers
Linked to test application servers
They do share the AD and ADAM servers
42. Politics Concerns – Change is always uncomfortable for some
Issues – Getting buy in from all parties
Sponsorship - Executive Level
AD is critical for access to everything
Heightens fear especially in beta
Tolerance level for Beta needs to be understood and defined
43. How Does it Work Technology Overview
AD – Active Directory
ADAM – Active Directory Application Manager
45. Automation Provisioning – Adds users to an application via SSO
Password builds – auto generation and assignment
Extracts – reused the existing upload files for applications
Drop box for uploads – drop an extract in and it will provision automatically
Macros – for setting up new applications
46. Hardware Architecture For SSO and ADAM
2 Compaq DL380 G3 servers with 2-2.8 GHz processors and 4 GB RAM.
Load balanced behind 2 Foundry Server Iron switches.
AD is on a cluster of other servers
No changes to the target application servers
47. Security Issues
Is it secure enough?
Does one access point increase risk?
Encryption increased or present for first time
The overall system design is more secure now than it has ever been
48. Support Internal
SSO Implementation Team
Access to Simple Sign-On developers
Two in person visits
49. The Good Vendor support, fanatical
Easy to add new applications
Custom Integration possible
Increased user experience
Reduced login related support calls
50. The Bad Small company, limited resources
Beta, lots of revisions and bugs
Low tolerance for beta software
Lack of parallel test system to start with
51. The Ugly Web browser issues
Black and white lists
Diverse PC configurations
Apple browser support
Overcoming change
Learning curve for concepts
52. What's Next Add more applications
Online Card Office
Integration of custom applications using the API
54. References Reference: The Free Encyclopedia, www.wikipedia.org
Version 3, www.ver3.com